2018-11-18 11:00:15 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-09-29 09:46:39 +05:30
|
|
|
class GroupPolicy < BasePolicy
|
2019-12-04 20:38:33 +05:30
|
|
|
include FindGroupProjects
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
desc "Group is public"
|
|
|
|
with_options scope: :subject, score: 0
|
|
|
|
condition(:public_group) { @subject.public? }
|
|
|
|
|
|
|
|
with_score 0
|
|
|
|
condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }
|
|
|
|
|
|
|
|
condition(:has_access) { access_level != GroupMember::NO_ACCESS }
|
2016-09-29 09:46:39 +05:30
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
condition(:guest) { access_level >= GroupMember::GUEST }
|
2018-03-17 18:26:18 +05:30
|
|
|
condition(:developer) { access_level >= GroupMember::DEVELOPER }
|
2017-09-10 17:25:29 +05:30
|
|
|
condition(:owner) { access_level >= GroupMember::OWNER }
|
2018-11-18 11:00:15 +05:30
|
|
|
condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
|
2017-09-10 17:25:29 +05:30
|
|
|
condition(:reporter) { access_level >= GroupMember::REPORTER }
|
2016-09-29 09:46:39 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
condition(:has_parent, scope: :subject) { @subject.has_parent? }
|
|
|
|
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
|
|
|
|
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
|
|
|
|
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
condition(:has_projects) do
|
2019-12-04 20:38:33 +05:30
|
|
|
group_projects_for(user: @user, group: @subject).any?
|
2016-09-29 09:46:39 +05:30
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
|
|
|
with_options scope: :subject, score: 0
|
|
|
|
condition(:request_access_enabled) { @subject.request_access_enabled }
|
|
|
|
|
2019-07-07 11:18:12 +05:30
|
|
|
condition(:create_projects_disabled) do
|
|
|
|
@subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
|
|
|
|
end
|
|
|
|
|
|
|
|
condition(:developer_maintainer_access) do
|
|
|
|
@subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
condition(:maintainer_can_create_group) do
|
|
|
|
@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
|
|
|
|
end
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
condition(:design_management_enabled) do
|
|
|
|
group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
|
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
condition(:dependency_proxy_available) do
|
|
|
|
@subject.dependency_proxy_feature_available?
|
|
|
|
end
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
desc "Deploy token with read_package_registry scope"
|
|
|
|
condition(:read_package_registry_deploy_token) do
|
|
|
|
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
|
|
|
|
end
|
|
|
|
|
|
|
|
desc "Deploy token with write_package_registry scope"
|
|
|
|
condition(:write_package_registry_deploy_token) do
|
|
|
|
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
|
|
|
|
end
|
|
|
|
|
|
|
|
with_scope :subject
|
|
|
|
condition(:resource_access_token_available) { resource_access_token_available? }
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
with_scope :subject
|
|
|
|
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
rule { design_management_enabled }.policy do
|
|
|
|
enable :read_design_activity
|
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
rule { public_group }.policy do
|
|
|
|
enable :read_group
|
2019-12-26 22:10:19 +05:30
|
|
|
enable :read_package
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
2020-05-24 23:13:21 +05:30
|
|
|
rule { logged_in_viewable }.enable :read_group
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
rule { guest }.policy do
|
|
|
|
enable :read_group
|
|
|
|
enable :upload_file
|
|
|
|
end
|
|
|
|
|
2019-12-21 20:55:43 +05:30
|
|
|
rule { admin }.policy do
|
|
|
|
enable :read_group
|
|
|
|
enable :update_max_artifacts_size
|
|
|
|
end
|
2018-05-09 12:01:36 +05:30
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
rule { can?(:read_all_resources) }.policy do
|
|
|
|
enable :read_confidential_issues
|
|
|
|
end
|
|
|
|
|
2018-05-09 12:01:36 +05:30
|
|
|
rule { has_projects }.policy do
|
2019-12-21 20:55:43 +05:30
|
|
|
enable :read_group
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { can?(:read_group) }.policy do
|
|
|
|
enable :read_milestone
|
2019-03-13 22:55:13 +05:30
|
|
|
enable :read_list
|
2018-05-09 12:01:36 +05:30
|
|
|
enable :read_label
|
2020-03-13 15:44:24 +05:30
|
|
|
enable :read_board
|
2020-11-24 15:15:51 +05:30
|
|
|
enable :read_group_member
|
2021-01-29 00:20:46 +05:30
|
|
|
enable :read_custom_emoji
|
2018-05-09 12:01:36 +05:30
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
rule { ~can?(:read_group) }.policy do
|
|
|
|
prevent :read_design_activity
|
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
rule { has_access }.enable :read_namespace
|
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
rule { developer }.policy do
|
|
|
|
enable :admin_milestone
|
2020-04-22 19:07:51 +05:30
|
|
|
enable :create_metrics_dashboard_annotation
|
|
|
|
enable :delete_metrics_dashboard_annotation
|
|
|
|
enable :update_metrics_dashboard_annotation
|
2021-01-29 00:20:46 +05:30
|
|
|
enable :create_custom_emoji
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
rule { reporter }.policy do
|
2020-04-22 19:07:51 +05:30
|
|
|
enable :reporter_access
|
2019-10-12 21:52:04 +05:30
|
|
|
enable :read_container_image
|
2018-03-27 19:54:05 +05:30
|
|
|
enable :admin_label
|
|
|
|
enable :admin_list
|
|
|
|
enable :admin_issue
|
2020-04-22 19:07:51 +05:30
|
|
|
enable :read_metrics_dashboard_annotation
|
2020-07-28 23:09:34 +05:30
|
|
|
enable :read_prometheus
|
2021-01-03 14:25:43 +05:30
|
|
|
enable :read_package
|
2018-03-27 19:54:05 +05:30
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2018-11-18 11:00:15 +05:30
|
|
|
rule { maintainer }.policy do
|
2017-09-10 17:25:29 +05:30
|
|
|
enable :create_projects
|
|
|
|
enable :admin_pipeline
|
|
|
|
enable :admin_build
|
2019-02-15 15:39:39 +05:30
|
|
|
enable :read_cluster
|
|
|
|
enable :add_cluster
|
|
|
|
enable :create_cluster
|
|
|
|
enable :update_cluster
|
|
|
|
enable :admin_cluster
|
2020-04-08 14:13:33 +05:30
|
|
|
enable :read_deploy_token
|
2020-11-24 15:15:51 +05:30
|
|
|
enable :create_jira_connect_subscription
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
rule { owner }.policy do
|
|
|
|
enable :admin_group
|
|
|
|
enable :admin_namespace
|
|
|
|
enable :admin_group_member
|
|
|
|
enable :change_visibility_level
|
2018-11-20 20:47:30 +05:30
|
|
|
|
|
|
|
enable :set_note_created_at
|
2019-10-12 21:52:04 +05:30
|
|
|
enable :set_emails_disabled
|
2020-05-24 23:13:21 +05:30
|
|
|
enable :update_default_branch_protection
|
2020-07-02 01:45:43 +05:30
|
|
|
enable :create_deploy_token
|
|
|
|
enable :destroy_deploy_token
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
rule { can?(:read_nested_project_resources) }.policy do
|
|
|
|
enable :read_group_activity
|
|
|
|
enable :read_group_issues
|
|
|
|
enable :read_group_boards
|
|
|
|
enable :read_group_labels
|
|
|
|
enable :read_group_milestones
|
|
|
|
enable :read_group_merge_requests
|
2020-10-24 23:57:45 +05:30
|
|
|
enable :read_group_build_report_results
|
2018-11-08 19:23:39 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
rule { can?(:read_cross_project) & can?(:read_group) }.policy do
|
|
|
|
enable :read_nested_project_resources
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
rule { owner }.enable :create_subgroup
|
|
|
|
rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
|
2017-09-10 17:25:29 +05:30
|
|
|
|
|
|
|
rule { public_group | logged_in_viewable }.enable :view_globally
|
|
|
|
|
|
|
|
rule { default }.enable(:request_access)
|
|
|
|
|
|
|
|
rule { ~request_access_enabled }.prevent :request_access
|
|
|
|
rule { ~can?(:view_globally) }.prevent :request_access
|
|
|
|
rule { has_access }.prevent :request_access
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
|
|
|
|
|
2019-07-07 11:18:12 +05:30
|
|
|
rule { developer & developer_maintainer_access }.enable :create_projects
|
|
|
|
rule { create_projects_disabled }.prevent :create_projects
|
|
|
|
|
2019-12-04 20:38:33 +05:30
|
|
|
rule { owner | admin }.enable :read_statistics
|
|
|
|
|
2019-10-31 01:37:42 +05:30
|
|
|
rule { maintainer & can?(:create_projects) }.enable :transfer_projects
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
rule { read_package_registry_deploy_token }.policy do
|
|
|
|
enable :read_package
|
|
|
|
enable :read_group
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { write_package_registry_deploy_token }.policy do
|
|
|
|
enable :create_package
|
2021-01-29 00:20:46 +05:30
|
|
|
enable :read_package
|
2021-01-03 14:25:43 +05:30
|
|
|
enable :read_group
|
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
rule { can?(:read_group) & dependency_proxy_available }
|
|
|
|
.enable :read_dependency_proxy
|
|
|
|
|
|
|
|
rule { developer & dependency_proxy_available }
|
|
|
|
.enable :admin_dependency_proxy
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
rule { resource_access_token_available & can?(:admin_group) }.policy do
|
|
|
|
enable :admin_resource_access_tokens
|
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
rule { support_bot & has_project_with_service_desk_enabled }.policy do
|
|
|
|
enable :read_label
|
|
|
|
end
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
def access_level
|
|
|
|
return GroupMember::NO_ACCESS if @user.nil?
|
2020-08-19 02:56:42 +05:30
|
|
|
return GroupMember::NO_ACCESS unless user_is_user?
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
@access_level ||= lookup_access_level!
|
|
|
|
end
|
|
|
|
|
|
|
|
def lookup_access_level!
|
|
|
|
@subject.max_member_access_for_user(@user)
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
2020-08-19 02:56:42 +05:30
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def user_is_user?
|
|
|
|
user.is_a?(User)
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
|
|
|
def group
|
|
|
|
@subject
|
|
|
|
end
|
|
|
|
|
|
|
|
def resource_access_token_available?
|
|
|
|
true
|
|
|
|
end
|
2016-09-29 09:46:39 +05:30
|
|
|
end
|
2019-12-04 20:38:33 +05:30
|
|
|
|
|
|
|
GroupPolicy.prepend_if_ee('EE::GroupPolicy')
|